China-Based Hacker Hijacked EU, US Government Emails
26 Countries Hit by Espionage Group Storm-0558 Through Microsoft Outlook Flaw
Security experts say China-based hackers are "leading their peers in the deployment of zero-days" in the wake of another wide-ranging attack that abused a Microsoft Outlook flaw and used forged authentication tokens to access email accounts of governments in the United States and Western Europe.
Microsoft and U.S. officials confirmed Wednesday that a threat actor based in China had hacked the Outlook email accounts of U.S. government agencies and at least 25 European governments for the purpose of espionage and data theft.
Microsoft said the threat actor, identified as Storm-0558, had been exploiting a token validation issue since May 13 and had used forged authentication tokens to gain access to the email accounts of Western European government agencies that used Outlook Web Access in Exchange Online and Outlook.com. U.S. cybersecurity and defense officials released an advisory warning about the attacks Wednesday but declined to say which agencies had been targeted. The U.S. State Department was reportedly among the victims.
"The Department of State detected anomalous activity, took immediate steps to secure our systems and will continue to closely monitor and quickly respond to any further activity," a State Department spokesperson told CNBC.
U.S. government officials told The Washington Post that Storm-0558 also hacked into Outlook email accounts at the Commerce Department, including that of Commerce Secretary Gina Raimondo. Raimondo is scheduled to visit China this year, amid China's demand that the U.S. lift sanctions on Chinese companies accused of using forced labor in the Xinjiang region.
Microsoft did not name the affected countries or government agencies, but said it had started to receive customer reports about anomalous email activity on June 16. Over the following weeks it took steps to stop the actor from accessing the compromised accounts with tokens forged using an acquired MSA consumer signing key.
"MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor," Microsoft said.
Microsoft has replaced the MSA key to prevent Storm-0558 from using it to forge tokens in the future, blocked the use of all tokens that were signed using the MSA key, and confirmed that the issue only affected Outlook.com and Outlook Web Access in Exchange Online.
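The two statements above describe a key-scoping failure: a token signed with a consumer (MSA) key was accepted as proof of an enterprise (Azure AD) identity, and the fix was to rotate the key and reject everything it had signed. The following is an added example, not Microsoft's code, and it deliberately simplifies: it uses HS256 (a shared secret) from the Python standard library as a stand-in for the RSA-signed tokens the real services use, and the issuer URLs, key IDs, secrets and the "exchange-online" audience are constructed values. The point it demonstrates is the difference between a verifier that looks a `kid` up in one pooled key set and one that only accepts keys belonging to the issuer the token claims, plus a revocation list for a compromised key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed key material: two independent issuers, each with its own signing key.
MSA_ISS = "https://login.live.com"                      # consumer (MSA) token issuer
AAD_ISS = "https://login.microsoftonline.com/contoso"   # enterprise (Azure AD) tenant issuer
KEYS_BY_ISSUER: Dict[str, Dict[str, bytes]] = {
    MSA_ISS: {"msa-2016": b"consumer-signing-secret"},
    AAD_ISS: {"aad-2023": b"enterprise-signing-secret"},
}
# A pooled view of every key the service knows, keyed only by kid.  A verifier
# that consults this table cannot tell which issuer a key belongs to.
ALL_KEYS: Dict[str, bytes] = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
REVOKED_KIDS = set()   # kids whose signatures must no longer be honoured


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Build a compact HS256 JWT; `kid` tells the verifier which key to fetch."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_mac(key, signing_input))


def _parse(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), h + "." + c, _b64url_decode(s)


def _claims_ok(claims: dict, expected_aud: str) -> bool:
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def verify_flawed(token: str, expected_aud: str) -> Optional[dict]:
    """Vulnerable: trusts any known key named by `kid`, regardless of the token's issuer.

    Signature, audience and expiry are all checked; the only defect is that a
    consumer key can vouch for claims that name the enterprise issuer.
    """
    header, claims, signing_input, sig = _parse(token)
    key = ALL_KEYS.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return None
    if not hmac.compare_digest(_mac(key, signing_input), sig) or not _claims_ok(claims, expected_aud):
        return None
    return claims


def verify_scoped(token: str, expected_aud: str) -> Optional[dict]:
    """Hardened: the key must belong to the issuer the token claims, and must not be revoked."""
    header, claims, signing_input, sig = _parse(token)
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid in REVOKED_KIDS:
        return None
    key = KEYS_BY_ISSUER.get(claims.get("iss"), {}).get(kid)   # scoped lookup: issuer -> kid
    if key is None:
        return None
    if not hmac.compare_digest(_mac(key, signing_input), sig) or not _claims_ok(claims, expected_aud):
        return None
    return claims


def mint_token(issuer: str, kid: str, sub: str, aud: str) -> str:
    """Legitimate issuance: the issuer signs with its own key."""
    claims = {"iss": issuer, "sub": sub, "aud": aud, "exp": int(time.time()) + 3600}
    return sign_jwt(claims, KEYS_BY_ISSUER[issuer][kid], kid)


def forge_enterprise_token(sub: str = "admin@contoso.example", aud: str = "exchange-online") -> str:
    """Attacker who holds only the consumer key asserts an enterprise identity."""
    claims = {"iss": AAD_ISS, "sub": sub, "aud": aud, "exp": int(time.time()) + 3600}
    return sign_jwt(claims, KEYS_BY_ISSUER[MSA_ISS]["msa-2016"], "msa-2016")


def revoke_key(kid: str) -> None:
    """Mirror of blocking every token signed with a compromised key."""
    REVOKED_KIDS.add(kid)


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("flawed verifier accepts forged enterprise token:", verify_flawed(forged, "exchange-online") is not None)
    print("scoped verifier accepts forged enterprise token:", verify_scoped(forged, "exchange-online") is not None)
```

The forged token carries a valid signature, a correct audience and a future expiry; the flawed verifier has no reason to reject it because nothing ties `kid` to `iss`. The scoped verifier fails the same token at key lookup, before any signature arithmetic, and `revoke_key` shows why rotating the key alone is not enough: tokens already signed with it stay valid until their `exp` unless the old `kid` is also refused.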
China's Growing Hacking Prowess
U.S. Sen. Mark R. Warner, D-Va., chairman of the Senate Select Committee on Intelligence, said the incident underscores the growing threat from hackers in the People's Republic of China.
"It's clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies," Warner said in a statement. "Close coordination between the U.S. government and the private sector will be critical to countering this threat."
Tom Gol, chief technology officer for research at Silicon Valley-based cybersecurity company Armis, told Information Security Media Group that the exploitation of the token validation issue in Outlook and OWA indicates a high level of expertise. "Organizations that use Outlook need to have robust security measures, such as multifactor authentication, strong password policies and regular security audits to defend against a threat of this nature," he said.
Chief Analyst John Hultquist of cybersecurity company Mandiant said the attack shows how China's tactics have evolved from broad campaigns that were far easier to detect to more targeted and stealthy attacks.
"Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us," he said. "They are leading their peers in the deployment of zero-days, and they have carved out a niche by targeting security devices specifically."
Hultquist believes Chinese cyber actors now know how to connect using elaborate, ephemeral proxy networks of compromised systems to make it harder for defenders to track their moves. "The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them," he said.
Timed With EU Meeting on China Strategy
Storm-0558 began targeting Western European government agencies one day after European Union leaders at a meeting in Stockholm discussed ways to recalibrate the EU's policy toward China. The EU on May 17 issued a press release on the subject, calling China its largest trading partner but also a competitor and a systemic rival.
European Commission Vice President Josep Borrell highlighted the EU's "growing risk of excessive dependencies on certain products and critical raw materials" from China and called for the diversification and reconfiguration of EU value chains and for controls on inbound investment. "At over 400 billion euros a year, the EU's trade deficit is at an unacceptable level. This is not due to the EU's lack of competitiveness, but to China's deliberate choices and policies," he said.
The European Union in 2021 accused China of harboring cybercriminals who exploited vulnerabilities in Microsoft Exchange Server to target thousands of organizations worldwide, including government agencies and institutions in the EU.
"These activities can be linked to the hacker groups known as APT 40 and APT 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage. The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behavior as endorsed by all UN member states," it said.
US Government Agencies Targeted
The exploitation of a token validation flaw in OWA and Outlook.com by Storm-0558 also affected a limited number of U.S. government agencies. White House National Security Council spokesperson Adam Hodge told CNN that agencies had detected the exploitation in June and continue to work with Microsoft to mitigate its impact.
"Last month, U.S. government safeguards identified an intrusion in Microsoft's cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold," he said.
Microsoft did not mention the targeting of U.S. government agencies in its blog post, but Executive Vice President Charlie Bell said the company is partnering with government agencies, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, to protect Microsoft Cloud from intrusion attempts.
"We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access," Bell said.